Roles that Grant Access to App Engine
Roles determine which services and actions are available to a user account or service account. The following types of roles grant access to App Engine:

- Basic roles, which apply to all services and resources in a project, including but not limited to App Engine. For example, an account with the Editor role can change App Engine settings as well as Cloud Storage settings.
- Predefined App Engine roles, which provide granular access to App Engine only. Each service in your Google Cloud project provides its own predefined roles. For example, an account that has only the App Engine Deployer role can deploy App Engine apps but cannot view or create objects in Cloud Storage; such an account would also need a Cloud Storage predefined role to create or view objects there.
- Custom roles, which provide granular access according to a list of permissions you specify.

Basic roles are acceptable for smaller projects with simple needs. For finer-tuned access control, use predefined roles: an account that holds only the App Engine roles it needs cannot reach the project's other services if it is compromised or misused.
Basic roles
Basic roles apply to all services and resources in a project. For example, an account with the Editor role can change App Engine settings as well as Cloud Storage settings.

| Role | Google Cloud console permissions | Tools permissions |
|---|---|---|
| Owner | Required to create App Engine applications. All Viewer and Editor privileges, plus the ability to view deployed source code, invite users, change user roles, and delete an application. Has admin privileges on all resources in the project. | Required to create App Engine applications. Can also deploy application code and update all configurations. |
| Editor | View application information and edit application settings. Has edit privileges on all resources in the project. | Deploy application code; update indexes, queues, and cron schedules. |
| Viewer | View application information. Has read-only access to all resources in the project. | Request logs. |
Predefined App Engine roles
| Role | Permissions |
|---|---|
| App Engine Admin | Read, write, and modify access to all application configuration and settings. To deploy new versions, a principal with this role must also have the Service Account User role. |
| App Engine Creator | Ability to create the App Engine resource for the project. |
| App Engine Viewer | Read-only access to all application configuration and settings. |
| App Engine Code Viewer | Read-only access to all application configuration, settings, and deployed source code. |
| App Engine Managed VM Debug Access | Ability to read or manage v2 instances. |
| App Engine Deployer | Read-only access to all application configuration and settings. To deploy new versions, the principal must also have the Service Account User role. Cannot modify existing versions other than deleting versions that are not receiving traffic. |
| App Engine Memcache Data Admin | Can get, set, delete, and flush App Engine Memcache items. |
| App Engine Service Admin | Read-only access to all application configuration and settings. Write access to service-level (formerly module-level) and version-level settings. Cannot deploy a new version. |
| App Engine Standard Environment Service Agent | Gives the App Engine Standard Environment service account access to managed resources. Includes access to service accounts. Warning: Do not grant service agent roles to any principal except service agents. |
The predefined roles for App Engine give you finer-grained options for access control.

These roles only provide access to App Engine. If your project includes other services, such as Cloud Storage or Cloud SQL, you will need to assign additional roles to grant access to those services.
Comparison of App Engine predefined roles
The following table provides a complete comparison of the capabilities of each predefined App Engine role.
| Capability | App Engine Admin | App Engine Service Admin | App Engine Deployer | App Engine Viewer | App Engine Code Viewer |
|---|---|---|---|---|---|
| List all services, versions and instances | Yes | Yes | Yes | Yes | Yes |
| View all application, service, version, and instance settings | Yes | Yes | Yes | Yes | Yes |
| View runtime metrics such as resource usage, load information, and error information | Yes | Yes | Yes | Yes | Yes |
| View app source code | No | No | No | No | Yes |
| Deploy a new version of an app | Yes, if you also grant the Service Account User role | No | Yes, if you also grant the Service Account User role | No | No |
| Split or migrate traffic | Yes | Yes | No*** | No | No |
| Start and stop a version | Yes | Yes | No | No | No |
| Delete a version | Yes | Yes | Yes | No | No |
| Delete an entire service | Yes | Yes | No | No | No |
| Use SSH to connect to a VM instance in the flexible environment | Yes | No | No | No | No |
| Shut down an instance | Yes | No | No | No | No |
| Disable and re-enable the App Engine application | Yes | No | No | No | No |
| Access handlers that have a login:admin restriction (first generation runtimes only) | Yes | No | No | No | No |
| Update dispatch rules | Yes | No | No | No | No |
| Update DoS settings | Yes | No | No | No | No |
| Update cron schedules | No | No | No | No | No |
| Update default cookie expiration | Yes | No | No | No | No |
| Update referrers | Yes | No | No | No | No |
| Update Email API Authorized Senders | Yes | No | No | No | No |
For details about the specific IAM permissions that are granted by each role, see the Roles section of the Admin API.
Recommended role for application deployment
For an account that is responsible only for deploying new versions of an app, we recommend that you grant the following roles:

- App Engine Deployer role (roles/appengine.deployer)
- Service Account User role (roles/iam.serviceAccountUser)

The Service Account User role enables the account to impersonate the default App Engine service account during the deployment process. Where possible, grant it on that service account rather than on the project: bound at project level, it lets the account act as every service account in the project.

If the account uses gcloud commands to deploy, add these roles as well:

- Storage Object Admin (roles/storage.objectAdmin)
- Cloud Build Editor (roles/cloudbuild.builds.editor)

For details about how to grant the required permissions, see Creating a user account.
Separation of deployment and traffic routing duties
Many organizations prefer to separate the task of deploying an application version from the task of ramping up traffic to the newly created version, and to have these tasks done by different job functions. The App Engine Deployer and App Engine Service Admin roles provide this separation:

- App Engine Deployer plus Service Account User roles: accounts are limited to deploying new versions and deleting old versions that are not serving traffic. An account with these roles cannot configure traffic to any version, nor change application-level settings such as dispatch rules or the authentication domain.
- App Engine Service Admin role: accounts cannot deploy a new version of an app, nor change application-level settings. However, they can change the properties of existing services and versions, including which versions serve traffic. The App Engine Service Admin role is ideal for an Operations/IT department that handles ramping up traffic to newly deployed versions.
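The recommended deploy-only role set above, and the Deployer/Service Admin separation described in this section, are both things you can check mechanically against a project's IAM policy. The script below is an added example, not code from the original page or from Google: it takes policy documents in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json` emit, reports a deploy-only principal that is missing a required role, holds a basic role, or holds Service Account User at project level instead of on the App Engine default service account, and lists any principal that holds both Deployer and Service Admin. The project name, principals, and policies are constructed for the example.

```python
"""Audit a project's IAM policy for App Engine deployment identities.

Added example (not from the original page). Input policies use the same
shape as the JSON that `gcloud projects get-iam-policy` and
`gcloud iam service-accounts get-iam-policy` produce.
"""
from collections import defaultdict

DEPLOYER = "roles/appengine.deployer"
SERVICE_ADMIN = "roles/appengine.serviceAdmin"
SA_USER = "roles/iam.serviceAccountUser"
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Roles the page recommends for an identity that deploys with gcloud.
RECOMMENDED_DEPLOY_ROLES = {
    DEPLOYER, SA_USER, "roles/storage.objectAdmin", "roles/cloudbuild.builds.editor",
}


def roles_by_member(policy):
    """Map member -> set of roles bound in one IAM policy document."""
    out = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out[member].add(binding["role"])
    return out


def audit_deploy_identity(project_policy, sa_policies, member):
    """Return findings for one principal that should only deploy new versions.

    sa_policies maps a service account email to that account's own IAM
    policy, so a Service Account User grant scoped to the App Engine default
    service account (the least-privilege placement) is recognised.
    """
    findings = []
    project_roles = roles_by_member(project_policy)[member]
    sa_user_scoped = [sa for sa, pol in sa_policies.items()
                      if SA_USER in roles_by_member(pol)[member]]

    if DEPLOYER not in project_roles:
        findings.append(f"missing {DEPLOYER}: cannot deploy new versions")
    if SA_USER not in project_roles and not sa_user_scoped:
        findings.append(f"missing {SA_USER}: deployments will be refused")
    if SA_USER in project_roles:
        # At project level this role lets the member act as *every* service
        # account in the project, not just the App Engine default one.
        findings.append(f"{SA_USER} bound at project level; bind it on the "
                        "App Engine default service account instead")
    for role in sorted(project_roles & BASIC_ROLES):
        findings.append(f"basic role {role}: grants access to all services")
    for role in sorted(project_roles - RECOMMENDED_DEPLOY_ROLES - BASIC_ROLES):
        findings.append(f"unexpected extra role {role}")
    return findings


def separation_violations(project_policy):
    """Members that hold both Deployer and Service Admin at project level."""
    by_member = roles_by_member(project_policy)
    return sorted(m for m, roles in by_member.items()
                  if {DEPLOYER, SERVICE_ADMIN} <= roles)


# Constructed sample policies for a hypothetical project "example-proj".
DEPLOY_BOT = "serviceAccount:deploy-bot@example-proj.iam.gserviceaccount.com"
LEGACY_BOT = "serviceAccount:legacy-deploy@example-proj.iam.gserviceaccount.com"
PROJECT_POLICY = {"bindings": [
    {"role": DEPLOYER, "members": [DEPLOY_BOT, "user:ops@example.com"]},
    {"role": SERVICE_ADMIN, "members": ["user:ops@example.com", "group:sre@example.com"]},
    {"role": "roles/storage.objectAdmin", "members": [DEPLOY_BOT]},
    {"role": "roles/cloudbuild.builds.editor", "members": [DEPLOY_BOT]},
    {"role": "roles/editor", "members": [LEGACY_BOT]},       # over-privileged
    {"role": SA_USER, "members": [LEGACY_BOT]},              # too broad a scope
]}
# The App Engine default service account's own policy: deploy-bot may act
# as this one account only.
SA_POLICIES = {
    "example-proj@appspot.gserviceaccount.com": {"bindings": [
        {"role": SA_USER, "members": [DEPLOY_BOT]},
    ]},
}

if __name__ == "__main__":
    for member in (DEPLOY_BOT, LEGACY_BOT):
        print(member, audit_deploy_identity(PROJECT_POLICY, SA_POLICIES, member) or ["OK"])
    print("separation violations:", separation_violations(PROJECT_POLICY))
```

Run against real data by loading the two gcloud JSON outputs with `json.load` into `PROJECT_POLICY` and `SA_POLICIES`. In the sample, `deploy-bot` passes cleanly, `legacy-deploy` is flagged for the missing Deployer role, the project-wide Service Account User binding, and the Editor basic role, and `user:ops@example.com` is reported because holding both Deployer and Service Admin lets one identity both ship and route traffic to a version.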
Limitations of the predefined roles
None of the App Engine predefined roles grant access to the following:

- Viewing and downloading application logs.
- Viewing Monitoring charts in the Google Cloud console.
- Enabling and disabling billing.
- Running security scans in Cloud Security Scanner.
- Accessing configuration or data stored in Datastore, Task Queues, Cloud Search, or any other Google Cloud storage product.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.